Lesson 6 - IT risk
According to Open Security Architecture, many of today's IT risk organizations in large corporations grew out of an IT security function, so most assessed risks, and most mitigation actions, are in the area of security. However, it is essential to understand that in most industries, IT-triggered business interruptions are most often caused by human error rather than by spectacularly malicious attackers and organized crime; this is particularly true for IT project-related risks. Therefore traditional IT security risks (which largely tend to be discovered for confidentiality rather than for integrity and particularly availability; why this is so is in itself an interesting topic and may be covered in a future article) comprise a relatively small part of the IT risk landscape by value, and an even smaller part of the overall corporate risk landscape when compared to operating or credit risks.
The three main sources of IT-based risk are the following:
Internal Risk
• Information risks
• Process risks
• Cultural risks
• Controls
• Governance
External Risk
• Third party risks
• Hazards
• Legal & regulatory risks
Criminal Interference
• Viruses & hackers
• Organized crime
• Industrial spies
Main elements of COBIT
COBIT is a framework that specifies management & control of information & related information technologies.
COBIT specifies 4 domains--planning & org., acquisition & implementation, delivery & support, & monitoring & evaluation. IT processes are defined within these domains. Control objectives & control activities are specified for IT processes.
COBIT highlights how the control of IT processes affects IT resources & information.
Important elements of a risk management framework:
• risk category – the general area of risk involved
• policies & standards – statements of the general principles surrounding risk decisions, for each risk category
• risk type – the category of business outcome associated with the risk category
• risk ownership – the owner assigned to each risk type
• risk mitigation – the controls, practices &/or tools for addressing each type of risk
• risk reporting & monitoring – the mechanisms used to evaluate & monitor risks
Actions that IT managers can take to develop effective risk management capabilities:
• Develop a common language of risk. Simplify the presentation.
• Create risk management that is “right sized” for the level of risk involved.
• Look beyond technical risk. Standardize the technology base.
• Rehearse the risk mitigation plans. Clarify roles & responsibilities.
• Automate where appropriate & possible. Educate & communicate.
The main purposes of a business continuity plan are to:
• avoid or mitigate risks.
• reduce the impact of a disaster.
• reduce the amount of time it takes to get back to business as usual.
Business continuity plan compared with a disaster contingency recovery plan:
Both types of plans deal with issues of recovering from a disaster that impacts the org.’s information systems. A business continuity plan, however, goes further in that it attempts to avoid &/or mitigate risks before they occur.
Three main components of a business continuity plan:
• Business Impact Analysis--identifies the critical functions a business must perform to operate & the risks to these functions; also identifies mitigation & avoidance strategies for these risks.
• Disaster Contingency Recovery Plan (DCRP)--identifies the procedures to be enacted in the event of a disaster.
• Training & Testing--the business continuity plan must be tested & training must be provided to those who will need to enact the plan.
Identify 3 external & 3 internal causes of business interruption.
The main internal causes of business disruption are:
• hardware or software failure
• system capacity issues
• operational failures
• internal security attack.
The main external causes of business disruption are:
• natural disaster
• security attack
• business partner misconduct
• terrorism
• corporate espionage.
4 phases of IT security:
• Technical protection mechanisms in which the focus was on applying technical security mechanisms.
• Management involvement in which information security became incorporated into org.al structures, & top management became involved in the security function.
• Information security culture in which the importance of incorporating security into individual practices was recognized.
• Information security governance in which the security focus incorporates the prevention of risk.
The Information Security Governance Framework has 3 components: strategic, managerial & operational, & technical.
Organizational strategy suggests managerial & operational elements of security, which then dictate the technical elements.
Level B components of the Information Security Governance Framework:
• Leadership & Governance--consists of executive sponsorship & information security strategic planning. Part of the strategic planning process includes defining metrics & measuring information security effectiveness.
• Security Management & Org.--consists of the program org. (information security org.al design & reporting structures) as well as the roles, responsibilities, skills, & experience of the resources devoted to the security architecture. It also deals with legal & regulatory considerations.
• Security Policies--builds on the first 2 components & includes all of the policies, procedures, standards, & guidelines comprising “an ‘overall intention & direction as formally expressed by management’”.
• Security Program Management--consists of monitoring, audit, & compliance.
• User Security Management--deals with elements of user awareness of security policy & ethical conduct, as well as education & training.
• Technology Protection & Operations--deals with the technology protection mechanisms & their management & operation.
Factors determining the security actions to apply to a security risk:
• cost of protection
• likelihood of the security event
• cost the org. would incur if the security event occurred
• org.’s risk tolerance
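As an added illustration (not from the lesson or its references) of how those four factors combine into a decision, the following Python compares the expected loss of a risk with the cost of protecting against it and the organization's risk tolerance. The risk names, cost figures, likelihoods and residual likelihoods are constructed sample values, and the "residual likelihood" and "escalate" outcome are assumptions added here.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float           # probability the event occurs in a year (0..1)
    impact_cost: float          # cost the org. would incur if the event occurred
    protection_cost: float      # annual cost of the candidate control
    residual_likelihood: float  # assumed likelihood once the control is in place


def expected_loss(likelihood: float, impact_cost: float) -> float:
    """Annual expected loss: likelihood of the event times its cost."""
    return likelihood * impact_cost


def decide(risk: Risk, risk_tolerance: float) -> tuple:
    """Return (action, expected_loss_before, annual_benefit_of_control).

    accept   - expected loss already within the org.'s risk tolerance
    mitigate - the control removes more expected loss than it costs
    escalate - above tolerance, but the control is not cost-effective, so the
               decision (transfer, e.g. insure, or accept) belongs to management
    """
    before = expected_loss(risk.likelihood, risk.impact_cost)
    after = expected_loss(risk.residual_likelihood, risk.impact_cost)
    benefit = before - after
    if before <= risk_tolerance:
        return "accept", before, benefit
    if benefit > risk.protection_cost:
        return "mitigate", before, benefit
    return "escalate", before, benefit


def prioritise(risks: list, risk_tolerance: float) -> list:
    """Rank risks by expected loss (largest first) with the chosen action."""
    rows = [(r.name, *decide(r, risk_tolerance)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; figures are illustrative, not from the lesson.
SAMPLE_RISKS = [
    Risk("ransomware on file server", 0.20, 500_000, 40_000, 0.05),
    Risk("lost unencrypted laptop", 0.50, 5_000, 10_000, 0.10),
    Risk("data centre flood", 0.02, 2_000_000, 150_000, 0.005),
]
RISK_TOLERANCE = 10_000  # constructed: max annual expected loss the org. accepts

if __name__ == "__main__":
    for name, action, loss, benefit in prioritise(SAMPLE_RISKS, RISK_TOLERANCE):
        print(f"{name:28s} expected loss {loss:>10,.0f}  benefit {benefit:>9,.0f}  -> {action}")
```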
References
Austin, R.D., Nolan, R.L. & O'Donnell, S. (2009). The Adventures of an IT Leader. Boston: Harvard Business School Publishing Corporation.
IT Risk. (n.d.). Retrieved April 23, 2016, from http://www.opensecurityarchitecture.org/cms/definitions/it-risk
McKeen, J.D. & Smith, H.A. (2012). IT Strategy: Issues and Practices (2nd ed.). New Jersey: Pearson Education, Inc.